I'm currently running a website off 3 Linux servers. I'd like to set up a private network and only allow port 80 traffic to one of the servers. I'd also like to set up a VPN so only I can access the servers via SSH or any port for developing/debugging.

How hard is this to set up and what do I need to get? Do enterprise/commercial routers have VPN functionality built in?

How do I handle DNS? E.g. www.mydomain.com would need to point to the router, which forwards traffic to the webserver. Do I set the A record to the router, and somehow tell the router which server to send the HTTP request to? And how would I make server1.mydomain.com resolve to server1 within the private network (without editing hosts files)? Would I need to run my own DNS (e.g. PowerDNS) to do this?

3 Answers

Get a good firewall. I recommend Astaro Security Gateway, but there are quite a few others that can do VPN and the (standard) traffic restrictions that you require.

If you have a mid-level PC with two NICs, the Astaro software is free. You can have it set up and configured in 60 to 90 minutes from when you burn the CD. Or you can buy a good quality hardware appliance and service/support for around US$1200. I would go with the appliance and support.

In your place, I'd go ahead and install shorewall on each Linux box since it's a pretty effective and easy-to-use ( once you wrap your head around it ) firewall solution. Technically not needed if you're already behind a router/firewall, but I sleep better at night with this in place.

The configuration would pretty much entail closing down all ports in/out of the firewall other than what you're going to be needing : SSH, HTTP, HTTPS.

From that point on, all you need to worry about is minor routing issues : First you'll want to point your A record to your external ( internet side ) static IP address. If you don't have a static IP then you'll want to look into dynamic DNS services such as DynDNS.org.

Secondly, you'll want to tell the router ( which responds to all requests to the external IP address ) what to do with the requests. So port-forward your required ports ( 22, 80, 443 ) to the server you want accepting external requests.

So, you can now SSH from the internet to your web server ( web1 ) since we did a port forwarding on the router. If you ever need to get to web2 or web3, you can proxy your ssh connection through web1 as such ( this can be automated through the use of your .ssh/config file and the ProxyCommand option ) :

ssh web1 nc -w 1 web2 22

You can also do port forwardings to access services on web2 & web3 :

ssh web1 -L 9999:web2:80   # local port 9999 points to web2:80

For most cases, ssh is an acceptable alternative to VPNs from the admin/dev's point of view.
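The `.ssh/config` automation mentioned in this answer, written out as an added example (not part of the original answer); the hostnames web1/web2/web3, the placeholder public address, the login name and the key path are assumptions:

```sshconfig
# Added example ~/.ssh/config, not from the original answer. Assumes web1 is
# the only box reachable from the internet on port 22 (via the router's port
# forward) and that web2/web3 resolve from web1 on the private network.

Host web1
    # placeholder: the router's public (internet side) address
    HostName 203.0.113.10
    # assumed login name and key
    User admin
    IdentityFile ~/.ssh/id_ed25519

# Reach the internal boxes by relaying through web1 with the nc trick from
# the answer. %h and %p expand to the target host and port, so
# "ssh web2" becomes "ssh web1 nc -w 1 web2 22" behind the scenes.
Host web2 web3
    User admin
    IdentityFile ~/.ssh/id_ed25519
    ProxyCommand ssh web1 nc -w 1 %h %p
    # On OpenSSH 7.3 or later the same relay needs no nc on web1:
    # ProxyJump web1

# Optional: "ssh web2-http" opens the local forward from the answer, so
# http://localhost:9999/ on your workstation reaches web2:80.
Host web2-http
    HostName 203.0.113.10
    User admin
    IdentityFile ~/.ssh/id_ed25519
    LocalForward 9999 web2:80
```

Keep comments on their own lines; ssh_config does not reliably accept trailing comments after a value.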